1. Purpose
This policy defines how Genesis Revolution Group Inc protects the confidentiality, integrity and availability of information assets, including client data, financial data and operational systems. It applies to every person who accesses Genesis systems, currently the sole founder and any future employees, contractors or vendors.
2. Governance
The founder and CEO, Anna Alencar, is accountable for information security at Genesis. Security-related questions, incidents and requests can be sent to contact@genesisrevolutiongroup.com. This policy is reviewed at least annually and after any material change to the operation.
3. Access control
Authentication
- Multi-factor authentication is required on every critical system that stores or processes financial or client data, including banking (Chase), payment processors (Stripe), source control (GitHub), cloud infrastructure and third-party APIs.
- Production infrastructure is accessed exclusively through SSH key-based authentication with passphrase-protected keys. Password-based SSH is disabled.
- Passwords for shared services are stored in a password manager with a strong master passphrase and MFA.
Authorization
- Access follows the principle of least privilege. Each identity holds only the permissions strictly needed for its role.
- Third-party API credentials (Plaid, Stripe, Anthropic, OpenAI and others) are stored in environment files with restrictive filesystem permissions and never committed to source control.
4. Data protection
In transit
- All data exchanged between clients, servers and third-party APIs travels over TLS 1.2 or higher. HTTP is not accepted for any production endpoint.
At rest
- Sensitive fields containing financial information received from Plaid or similar sources are encrypted at the application layer using proven cryptographic libraries.
- Database backups are encrypted before they leave production infrastructure.
- Local secrets files are protected with restrictive file permissions and stored outside of any version-controlled directory.
5. Vendor and API management
Genesis only integrates with vendors that publish clear security and privacy documentation. When onboarding a new vendor, we review their published policies, their SOC or ISO certifications when available, and their data handling terms. Vendor credentials are rotated whenever a compromise is suspected.
6. Software development and change management
- Source code is stored in private repositories with branch protection on the default branch.
- Automated dependency scanning is enabled to flag known vulnerabilities in third-party libraries.
- Changes are reviewed before being merged and deployed to production.
- Operating systems and package managers on production infrastructure are patched on a regular cadence.
7. Incident response
If Genesis becomes aware of a security incident that affects client or financial data, we will:
- Contain the incident and revoke any compromised credentials immediately.
- Investigate the scope and root cause.
- Notify affected users and impacted third parties (including Plaid and the relevant financial institutions) as required by applicable law and contract.
- Document the incident, the response and the corrective actions taken.
8. Employee and contractor security
Any future employee or contractor with access to Genesis systems will be required to acknowledge this policy in writing, use MFA on every access, and complete basic security awareness training before receiving credentials.
9. Continuous improvement
Genesis is an early-stage company. We are actively expanding this program as we grow. Substantive updates to this policy will be reflected in a new version number and effective date at the top of this page.